Firewall and SELinux

Firewall:

[1] Show the service status of the firewall as follows (firewalld is enabled by default).

[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2021-09-24 03:29:51 +03; 19h ago
     Docs: man:firewalld(1)
 Main PID: 703 (firewalld)
    Tasks: 4 (limit: 4915)
   Memory: 42.9M
   CGroup: /system.slice/firewalld.service
           └─703 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Sep 24 03:29:49 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon.
Sep 24 03:29:51 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.

[2] firewall-cmd works only while the firewalld service is running. To list the full configuration of the active zone:

[root@localhost ~]# firewall-cmd --list-all
public (active)          # active zone
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0
  sources:
  services: dhcpv6-client mdns ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[3] List all zones.

[root@localhost ~]# firewall-cmd --list-all-zones
FutureServer
  target: default
...

FutureWorkstation
  target: default
...

block
  target: %%REJECT%%
...

dmz
  target: default
...

drop
  target: DROP
...

external
  target: default
...

home
  target: default
...

internal
  target: default
...

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0
  sources:
  services: dhcpv6-client mdns ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

trusted
  target: ACCEPT
...

work
  target: default
...

[4] Set default zone.

[root@localhost ~]# firewall-cmd --set-default-zone public
success
[root@localhost ~]# firewall-cmd --reload
success

[5] Permanently allow access to a service. (Without --permanent the rule is added to the running configuration only and is lost on the next reload of the rules.)

[root@localhost ~]# firewall-cmd --zone=public --permanent --add-service=http
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-service
dhcpv6-client mdns ssh http

[6] Remove access to a service.

[root@localhost ~]# firewall-cmd --zone=public --permanent --remove-service=http
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-service
dhcpv6-client mdns ssh

[7] Permanently allow access to a port.

[root@localhost ~]# firewall-cmd --zone=public --permanent --add-port=2222/tcp
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-port
2222/tcp

[8] Remove access to a port.

[root@localhost ~]# firewall-cmd --zone=public --permanent --remove-port=2222/tcp
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-port


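As an added example (not part of the original page), the following POSIX shell script checks the public zone's open services and ports against an allowlist, so that a leftover --add-service entry such as the http service from step [5] is reported instead of silently staying exposed; the sample list-all output and the baseline lists are constructed assumptions.

```sh
# Constructed sample of `firewall-cmd --list-all` output for the public zone,
# with two entries (http, 8080/tcp) that are not on the allowlist below.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0
  sources:
  services: dhcpv6-client mdns ssh http
  ports: 2222/tcp 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'
# Expected exposure of the public zone (assumed baseline, not from the page).
ALLOWED_SERVICES="dhcpv6-client mdns ssh"
ALLOWED_PORTS="2222/tcp"

# Print the space-separated values of one field (e.g. services, ports)
# from list-all output read on stdin; the leading two spaces anchor the match.
zone_field() {
  sed -n "s/^  $1: *//p"
}

# Print each entry of field $1 that is missing from allowlist $2.
# Reads list-all output on stdin; prints nothing when the zone matches.
unexpected_entries() {
  allow=" $2 "
  for item in $(zone_field "$1"); do
    case "$allow" in
      *" $item "*) ;;                 # on the allowlist: fine
      *) printf '%s\n' "$item" ;;     # not expected: report it
    esac
  done
}

# Audit services and ports of the zone on stdin; return 1 if anything
# outside the baseline is open, so the script can fail a compliance check.
audit_zone() {
  drift=0
  input=$(cat)
  for extra in $(printf '%s\n' "$input" | unexpected_entries services "$ALLOWED_SERVICES"); do
    echo "unexpected service: $extra"; drift=1
  done
  for extra in $(printf '%s\n' "$input" | unexpected_entries ports "$ALLOWED_PORTS"); do
    echo "unexpected port: $extra"; drift=1
  done
  return $drift
}
printf '%s\n' "$SAMPLE_LIST_ALL" | audit_zone || echo "public zone drifted from baseline"
```

On a real host, replace the sample with `firewall-cmd --zone=public --list-all | audit_zone` and run it from cron or a configuration check after each `--reload`.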
SELinux:

[1] Show the status of SELinux (Security-Enhanced Linux) as follows (enabled by default).

[root@localhost ~]# getenforce
Enforcing

[2] If you do not need SELinux, for example because the server runs only on a trusted local network, it can be disabled as follows. The setting takes effect at the reboot; to keep SELinux logging denials without enforcing them, use permissive mode instead (see [4]).

[root@localhost ~]# sed -i "s|SELINUX=enforcing|SELINUX=disabled|" /etc/selinux/config
[root@localhost ~]# cat /etc/selinux/config
...
SELINUX=disabled
...
[root@localhost ~]# reboot

[3] Activating SELinux.

[root@localhost ~]# sed -i "s|SELINUX=disabled|SELINUX=enforcing|" /etc/selinux/config
[root@localhost ~]# touch /.autorelabel    # request a full filesystem relabel on the next boot
[root@localhost ~]# reboot

[4] Disable SELinux enforcement at runtime (permissive mode until the next reboot; /etc/selinux/config is not changed).

[root@localhost ~]# setenforce 0